\section{Scope}
The focus of this project is to design and implement a separation kernel that
guarantees strong separation between subjects and can thus serve as a basis for
a component-based system. This section describes the issues that are considered
out of scope but are mentioned nevertheless for the sake of completeness.

It is assumed that all untrusted subjects can potentially be subverted. The
kernel is solely concerned with the correct enforcement of a given system
policy, by only allowing intended information flows between subjects and
arbitrating resource access.

The following issues, while very important in the context of constructing a
high assurance system, are considered outside the scope of this thesis:

\begin{description}
	\item[System initialization] The kernel starts executing after the
		bootloader hands over execution. It is assumed that the system is set up
		and initialized properly. How the system is securely bootstrapped (e.g.
		using a trusted boot process) and initialized and how the integrity of
		the kernel is assured is not considered.
	\item[Hardware] It is assumed that hardware, such as the CPU, memory
		management unit and other devices, is working correctly according to
		its specification. Problems due to buggy or even malicious hardware
		are out of scope.
	\item[Physical attacks] Issues predicated on an attacker having physical
		access to the system are not considered.
	\item[Firmware] A modern PC contains firmware and many embedded controllers
		that are only partly (if at all) controllable by an operating system
		kernel. This includes technologies such as Intel AMT/ME, System
		Management Mode (SMM\index{SMM}) and the system
		BIOS\index{BIOS}\footnote{Basic Input/Output System}, which have access
		to sensitive system resources.
	\item[Policy validity] The separation kernel provides the mechanisms to
		enforce a user-defined policy. The focus is on the correct enforcement
		of a provided system configuration. The user is in charge of assuring
		the correctness and consistency of the overall system policy.
	\item[Communication] The separation kernel must provide a mechanism to
		establish directed communication channels between subjects. It is
		however not the duty of the kernel to provide a communication
		abstraction such as message passing or a remote procedure call (RPC)
		interface.
	\item[Recovery] How a system can be restored to a secure state after a
		compromise is out of scope.
\end{description}

These points must be considered and addressed when building a high assurance
system based on the separation kernel architecture.
